The one tiny slip that put LulzSec chief Sabu in the FBI's pocket

IRC relays 'infiltrated by the feds'

Analysis The man named by the FBI as infamous hacktivist Sabu was undone by an embarrassing security blunder, it has emerged.

The alleged LulzSec kingpin eventually copped to a battery of hacking charges last August and was reported to have been "co-operating" with the FBI in the months leading up to yesterday's arrests.

Police locked onto Hector Xavier Monsegur, an unemployed 28-year-old from New York – allegedly LulzSec hacktivist supremo Sabu – after he apparently made the mistake of logging into an IRC chat server without using the Tor anonymisation service1.

According to Robert Graham of Errata Security Monsegur exposed his IP address, which allowed federal investigators to request records from ISPs and track down his location to a flat shared with his two sons on Manhattan's Lower East Side.

"They caught him because just once, he logged onto IRC without going through Tor, revealing to the FBI his IP address," Graham claims. "This reveals a little bit about the FBI, namely that they've infiltrated enough of the popular IRC relays to be able to get people's IP addresses. We've always suspected they could, now we know."

It's unclear precisely when investigators identified Monsegur as a prime suspect in the case. However by early June separate digital sleuthing by various parties – most notably @backtracesec and purported ex-military anti-WikiLeaks hacker The Jester (th3j35t3r) – led to the public fingering of Monsegur as Sabu.

Monsegur was NOT the only person named as Sabu2. The Jester previously named (he later apologised for his error) an innocent Portuguese web designer as a suspect, for example. Pastebin has been full of various documents giving multiple "identities" and background details for supposed members of LulzSec and Anonymous for months.

However the fact that Monsegur was named at all caused investigators to fear he would destroy evidence if they failed to act quickly. The Puerto Rican immigrant's flat was raided on 7 June last year.

Fox News reports that agents had already obtained a warrant to pull Monsegur's Facebook file, and said they found evidence that the suspect had traded credit card numbers with other hackers. This was enough to execute a warrant to seize equipment and arrest Monsegur.

The report said investigators had coerced the unemployed dad into co-operating by threatening him with two years in prison away from his children on the easy-to-prove ID theft charges alone if he failed to turn informant on the rest of the LulzSec crew. The feds also persuaded him to turn over the encryption keys on his battered laptop, allowing them to obtain evidence of Monsegur's "hacking activities".

“It was because of his kids,” an FBI source told Fox News. “He’d do anything for his kids. He didn’t want to go away to prison and leave them. That’s how we got him.”

Monsegur was bailed on the identity theft charges and returned home after agreeing to act as an informant against his erstwhile hacktivist colleagues, officials told Fox News. Neither his family nor his "brothers" in Anonymous and LulzSec were left any the wiser that he was then working as a co-operating witness, his "handlers" said.

Sabu's anti-capitalist rants and brazen boasts continued after Monsegur's changed status, they said. But a minority – most notably a hacktivist using the handle Virus – suspected he might have been acting as a federal informant around this time.

Virus was suspicious when Sabu disappeared offline for about a week and by his later alleged inducement to hack into Backtrace Security (an outfit tracing members of LulzSec) for money – an offer Virus declined. Virus confronted Sabu with his suspicions that he might be a snitch in a heated exchange, recorded on PasteBin here.

Just a normal New Yorker

These suspicions were isolated and the vast remainder of LulzSec and legions of members of hacktivist collective Anonymous continued to follow Sabu's lead.

What they didn't know was that for the last eight months or so, and certainly from the time in mid-August when Monsegur secretly pleaded guilty to a slew of hacking offences, was that the feds had been monitoring exchanges and gathering evidence against them as well as passing on information that was used to minimise the damage caused by some of the planned operations. From mid-August onwards, sources told Fox News, Monsegur allegedly worked almost out of the FBI's New York City offices almost every day.

Later his handlers allowed him to work using a laptop provided by the FBI while under close 24-hour monitoring and supervision.1

Monsegur was watched by his federal handlers while maintaining the same habits and online presence, spending between eight and 16 hours a day at his computer and often working through the night. His FBI handlers orchestrated an elaborate disinformation campaign, using the AnonymousSabu Twitter account and interviews with journalists to spread disinformation.

Ironically, the man alleged to be the frontman and chief rabble-rouser for #FuckFBIFridays – a weekly event in the Anonymous calendar – had been cheering on attacks against law enforcement systems from behind an FBI desk, while at the same time working to minimise any damage, the G-men said.

Monsegur reportedly worked with his handlers to mitigate the damage caused by the hack on 70 law enforcement websites in July 2011, minimising the amount of information that came out a month later. The suspect worked with the FBI to inform 300 government, financial and corporate entities in the US and elsewhere of problems of their systems that had come to the attention of hackers, his handlers said.

He also apparently fact-checked boastful claims frequently made by hacktivists who, as before, continued to come to Sabu with plans for operations, the FBI said.

On one occasion, at the behest of his FBI handlers, Monsegur successfully ordered the end of a DDoS attack against the CIA. “You’re knocking over a bee’s nest,” he warned his associates. “Stop.”

He then allegedly helped the FBI track down and gather evidence against his hacking associates, information that only became public with the unsealing of his indictment [PDF] and the arrest of suspected hacktivists in the US, Ireland and the UK on Tuesday.

Monsegur adapted to his new status to the point that he reportedly attempted to pass himself off as a federal agent when he was collared by New York city cops last month, Gawker reports.

Sponsored: Global DDoS threat landscape report